Required arguments

<stats-func>...

Syntax: count(<field>) | <function>(<field>) [AS <string>]

Description: Either perform a basic count of a field or perform a function on a field. For a list of the functions the tstats command supports, refer to the table below. You can specify one or more functions. You can also rename the result with the AS keyword, unless you are in prestats mode. You cannot use wildcards to specify field names. Grouping is not written inside the function: use the BY clause with the <field-list> argument described below. See Usage.

Optional arguments

append

Syntax: append=<bool>

Description: Only applies in prestats mode (prestats=t). If true, the prestats results of this tstats command are appended to the results already in the pipeline instead of replacing them, which is what allows a tstats command to appear after the first position in a search. Defaults to false.

local

Syntax: local=<bool>

Description: If true, forces the processor to be run only on the search head. Defaults to false.

prestats

Syntax: prestats=<bool>

Description: Use this to output the result in prestats format, which you can pipe to a command that accepts prestats output, such as chart or timechart. This is useful for building chart visualizations. Defaults to false.

summariesonly

Syntax: summariesonly=<bool>

Description: Only applies when selecting from an accelerated data model. If true, tstats generates results only from the .tsidx summaries that the acceleration has already built. If false, tstats also runs a normal search to produce results for data that has no summary yet. Defaults to false. Because acceleration summaries are built on a schedule, summariesonly=t can silently omit the most recent events and any part of the time range the summary does not yet cover; when completeness matters more than speed, for example when validating a detection, run the same search with summariesonly=f and compare the counts.

<field-list>

Syntax: <field>, <field>, ...

Description: Specify a list of fields to group results.

Description

The tstats command is a generating processor, so it must be the first command in a search pipeline except in append mode (append=t).

Use the tstats command to perform statistical queries on indexed fields stored in tsidx files. You can select from data in several different ways:

1. Normal index data: If you do not supply a FROM clause (to specify a namespace, search job ID, or data model), Splunk selects from index data in the same way as search. You are restricted to the indexes your role allows, and you can control exactly which indexes you select from in the WHERE clause. If no indexes are mentioned in the WHERE clause, Splunk uses the default index(es) for your role. By default, the role-based search filters that apply to search also apply to tstats; this can be turned off in limits.conf.

2. Data manually collected with tscollect: Select from your namespace with FROM <namespace>. If you didn't supply a namespace to tscollect, the data was collected into the dispatch directory of that job. In that case, select from that data with FROM sid=<tscollect-job-id>.

3. A high-performance analytics store (collection of .tsidx data summaries) for an accelerated data model: Select from this accelerated data model with FROM datamodel=<datamodel-name>.

You might see a count mismatch between tstats and search when tstats reads index data directly from tsidx files. This is because a tsidx file does not distinguish tokens that came from indexed fields from tokens that came from the raw event text, so a term can be counted whichever of the two it came from. Running tstats on an accelerated data model or on tscollect output is more precise, because those stores hold only the fields and values, not the raw tokens.
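The following search is an added example, not code from the original page, showing the summariesonly trade-off described above for accelerated data models. The first tstats reads only the acceleration summaries, the second (in a subsearch) falls back to search for data that has no summary yet, and the final eval shows how many events per hour the summary-only search would have missed. It assumes an accelerated CIM-style Authentication data model with the fields Authentication.action and Authentication.src; the data model name, those field names and the 24-hour window are all assumptions.

```spl
| tstats summariesonly=t count AS summarized
    FROM datamodel=Authentication
    WHERE Authentication.action=failure earliest=-24h latest=now
    BY _time span=1h
| append
    [ | tstats summariesonly=f count AS total
        FROM datamodel=Authentication
        WHERE Authentication.action=failure earliest=-24h latest=now
        BY _time span=1h ]
| stats sum(summarized) AS summarized sum(total) AS total BY _time
| fillnull value=0 summarized total
| eval unsummarized = total - summarized
| where unsummarized > 0
```

Any hour that survives the final where clause is one in which a detection built on summariesonly=t would have undercounted failed logins. Run this check against a new or recently rebuilt data model before trusting summaries-only searches for alerting.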

Filtering with where

You can provide any number of aggregates (aggregate-opt) to perform and also have the option of providing a filtering query using the WHERE keyword. This query looks like a normal query you would use in the search processor.

Grouping by _time

You can provide any number of BY fields. If you group by _time, supply a timespan with span to size the time buckets. The timespan uses the normal Splunk timespan syntax, such as span=1hr or span=3d, and also accepts span=auto.

Examples

Example 1: Gets the count of all events in the mydata namespace.

| tstats count FROM mydata

Example 2: Returns the average of the field foo in mydata, specifically where bar is value2 and the value of baz is greater than 5.

| tstats avg(foo) FROM mydata WHERE bar=value2 baz>5

Example 3: Gives the count by source for events with host=x.

| tstats count where host=x by source

Example 4: Gives a timechart of all the data in your default indexes with a day granularity.

| tstats prestats=t count by _time span=1d | timechart span=1d count

Example 5: Use prestats mode in conjunction with append to compute the median values of foo and bar, which are in different namespaces.
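The pipeline that Example 5 describes, written out as an added example rather than the original page's own code: both tstats commands run in prestats mode, the second uses append=t so that it can follow the first instead of being the first command, and a final stats command reduces the combined prestats output to the two medians. The namespace mydata and the fields foo and bar are the ones the page uses; the second namespace, otherdata, is an assumption.

```spl
| tstats prestats=t median(foo) FROM mydata
| tstats prestats=t append=t median(bar) FROM otherdata
| stats median(foo) median(bar)
```

Note that neither tstats command renames its result with AS, because renaming is not available in prestats mode; do the renaming, if needed, in the final stats command.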
